On Wed, Jun 13, 2018 at 11:17:25AM +0200, Reindl Harald wrote: > > > Am 13.06.2018 um 11:11 schrieb Daniel P. Berrangé: > > On Tue, Jun 12, 2018 at 08:00:26PM +0200, Reindl Harald wrote: > >> > >> Am 12.06.2018 um 19:45 schrieb Daniel P. Berrangé: > >>> On Tue, Jun 12, 2018 at 10:20:46AM -0700, Howard Howell wrote: > >>>> I haven't followed all of this thread, too self busy. However there is > >>>> a security argument. If you have a local executable directory, then > >>>> the capability for malicious software to attach is wide open for that > >>>> user, whatever their privelege level might be. > >>>> > >>>> Most businesses that have linux in their suite, won't want a ~/.bin > >>>> anywhere in their organization. > >>> > >>> If a malicious attacker have privileges to create/modify $HOME/.bin/foo, > >>> then they will also have privileges to modify $HOME/.bashrc to add any > >>> directory they wish to $PATH. So that security argument doesn't hold water > >> > >> bullshit - man chattr > >> > >> [root@srv-rhsoft:~]$ touch /home/harry/.bashrc > >> touch: setting times of '/home/harry/.bashrc': Operation not permitted > >> > >> so and now tell me how you override "ls" on my system until some fool > >> adds a user-writeable directory in front of $PATH i am not aware > > > > If you're willing to make custom modifications to prevent user writing > > to their own $HOME, then there's no reason why you can't set a different > > $PATH or also use chattr to prevent use of $HOME/.local/bin > > you don't get it - the more unsecure the defaults are the more likely it > is someone forget such a crazy default like "every random idiot can drop > a binary which overrides basic commands" I completely understand this. If you want to argue that there are things we can do to make Fedora more secure by default ,that is great. My point was about the impact of this proposed change, on the current Fedora defaults, and in that context the proposal does not make Fedora less secure. > in 2018 systems have to become *more secure* insteal less just because > some crap software rely on that don't get fixed - in which languages was > the shit from the discussion written and don#t they provide something > better than fuckup PATH to fix applications? Please moderate your language, this is totally inappropriate. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/IAMNVQ6ZF22FRSCLLMX3NGTOMXR5E3TB/
